How to Fix WordPress Website Malware

Introduction

It’s always a huge problem when a WordPress website gets hacked and loaded with a ton of malware. Not only can it affect your SEO, but the malware will also tear your website apart with what looks to be unlimited pop-ups. I’ve seen times where malware will cause computer viruses to be downloaded to the computer of any visitor that goes to your website. This could be a reason why Google will penalize your website when their crawlers detect malware.

Why does it happen?

WordPress, much like many other platforms, is prone to hacks, but what makes WordPress more vulnerable is that it’s extremely popular and its plugins are not vetted for security or best practices. Your hosting can play a major factor as well. If your hosting provider is not keeping your hosting packages such as PHP up to date, your site will be vulnerable. For this reason, we always keep our hosting packages up to date at MageHD Hosting. Any time we build a new website, the first thing we add is security optimization. I can’t explain a lot of what we do since it’s proprietary information, but I can say Wordfence is one of, if not the, major security plugins we add to our builds.

If you do not have Wordfence and would like to know which files are infected, you can get a free site scan from Sucuri at sucuri.net.

The Symptoms

You would be surprised how many of the symptoms are not apparent. A lot of the time, you may not even know your site has malware until something breaks. Maybe a page doesn’t load properly or comes up blank. You may even start seeing weird PHP errors. If you’re running the WooCommerce plugin, you may get complaints from your customers about credit card fraud. It all depends on the type of malware and the intentions of the creator, which can range from advertising by blasting every page with 100 pop-ups to credit card fraud.

How Do I Fix it?

Before one can fix a malware hack, one has to understand how it works. The fix will not work for everybody but it is definitely worth a try given the circumstances.

Complex Malware

The reason why it may not work for everybody is that some malware has a way of duplicating itself and returning. Essentially, the malware developer will create one file, which we can call the “Master File”. This master file is responsible for checking whether the malware code snippet is still present in your file system. If you’ve ever wondered why malware keeps returning, this is why. The malware developer will cleverly attach this file to either a PHP script that runs on a cron job or a PHP script that is used for typical tasks. For instance, every time a user creates a new post, the PHP script that creates the post would trigger the execution of that “Master File”. Finding this master file is very tricky. The majority of the time we have to download the full file system and trace back from the modified WordPress core scripts that have the malware included. This method is very time consuming and daunting, so if this is the route you need to go, warm up a pot of coffee and get your favorite chair back massager because you will be there for a while.

There’s a little twist to complex malware. A lot of the time, malware is designed to be untraceable. The best way to trace it back to the master file is to search through the file system for the construct that appears in the malware code. Example: in the image below of a malware code snippet, we can see that “@include” is used. We also see that whatever is creating this snippet is wrapping the code in the comment “/*075c5*/”. These two pieces of text are what I would use to search within the file system for the suspect, the “Master File”.

Once the master file has been found, you can proceed to remove the code snippets out of the file system without having to worry about them returning.
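The search described above can be scripted over a downloaded copy of the site. The following is an added example, not code from the original article: it looks for the “@include” snippet wrapped in the “/*075c5*/” comment and separately lists files that mention the marker id outside such a snippet. The function names, the sample tree and the rule that the closing comment repeats the same marker are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Marker-wrapped include as the page describes it: /*075c5*/ ... @include ... /*075c5*/
# Assumption: the closing comment repeats the same five-hex-digit marker.
SNIPPET = re.compile(rb"/\*([0-9a-f]{5})\*/.*?@include\b.*?/\*\1\*/", re.S)

def scan_tree(root, marker="075c5"):
    """Return (injected, suspects) for the PHP files under root.

    injected: (path, line) of files carrying a complete marker-wrapped snippet.
    suspects: files that mention the marker id outside such a snippet; these
              are the ones to read by hand when looking for the master file.
    """
    needle = marker.encode()
    injected, suspects = [], []
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        hits = [m for m in SNIPPET.finditer(data) if m.group(1) == needle]
        if hits:
            line = data.count(b"\n", 0, hits[0].start()) + 1
            injected.append((rel, line))
        if needle in SNIPPET.sub(b"", data):  # marker id left outside snippets
            suspects.append(rel)
    return injected, suspects

def demo():
    """Scan a constructed sample tree (harmless stand-ins, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text(
            '<?php\n/*075c5*/\n\n@include "/placeholder/path.inc";\n\n'
            "/*075c5*/\nrequire 'wp-blog-header.php';\n")
        # Stand-in for the file that re-creates the snippet: it only names the id.
        (root / "wp-includes" / "post.php").write_text(
            "<?php\n$tag = '075c5'; // constructed\n")
        (root / "wp-includes" / "clean.php").write_text(
            "<?php\ninclude 'functions.php';\n")
        return scan_tree(root)

if __name__ == "__main__":
    for label, rows in zip(("injected", "suspects"), demo()):
        print(label, rows)
```

Pass the marker found on your own site as the second argument. A file that assembles the marker at run time will not contain the id literally, so if the suspects list comes back empty, widen the search to every “@include”.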

Simple Malware

We consider simple malware to be malware that does not have a master file as described above. Fixing simple malware is as easy as removing a snippet similar to the one in the image above. To make things that much easier, this can be done in Wordfence. Wordfence will not only scan your system for modified WordPress core files, it also scans for malware and allows you to restore the core files and delete malicious files.

Conclusion

With the increase in WordPress popularity, you can expect an increase in malicious developers creating malware. Keep the plugins on your website to a minimum, use security plugins like Wordfence, and stay on top of your hosting provider about keeping your hosting environment up to date.

Gary Pettigrew is a pioneer in the web development industry. He has been developing since the days of Windows 3.1. His experience and knowledge include Visual Basic, C#, .NET, HTML, PHP, JavaScript, Node.js, Laravel, and many other technologies.
